Bug ID 675772: IPsec tunnels fail when traffic-selectors share one IPsec interface mode policy

Last Modified: Dec 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.0.0, 15.0.1, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 15.1.9, 15.1.10

Fixed In:

Opened: Jul 26, 2017

Severity: 4-Minor


When IPsec tunnels to several different peers are configured using a single ipsec-policy in interface mode, the tunnels will be unreliable or may not start.


IPsec tunnels may start but fail after a period of time. In other cases, IPsec tunnels may not start at all.


Several traffic-selectors that are associated with different tunnels reference the same interface mode IPsec policy. Note: It is not possible to create this configuration when the IPsec policy is tunnel or transport mode.


(1) Create a unique ipsec-policy configuration object for each remote peer and traffic-selector. (2) Use tunnel mode. It is not possible to create this configuration when the IPsec policy is tunnel or transport mode.

Fix Information

By design, the implementation does not allow ipsec-policy instances to be shared between interface mode tunnels, because the tunnel IP addresses used by an interface mode tunnel are pushed into the ipsec-policy instance; in effect, the policy and the tunnel must match one-to-one. You can enter a dummy tunnel IP address in the ipsec-policy, but it is ignored and replaced at runtime by the IP addresses of the interface mode tunnel. When an ipsec-policy is shared, it will therefore carry the wrong tunnel IP addresses for one or more of the interface mode tunnels.
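As an added example (not part of the F5 bug record or any F5 tool), the following Python script checks a configuration listing for the condition described in this bug: an interface mode ipsec-policy referenced by more than one traffic-selector. The input is a constructed listing in the style of `tmsh list net ipsec` output; the object paths `net ipsec ipsec-policy` and `net ipsec traffic-selector`, the `mode` and `ipsec-policy` attributes, and the `tmsh create`/`tmsh modify` command shapes used for the suggested remediation are assumptions about tmsh syntax, not taken from this page. The suggested commands implement workaround (1): one ipsec-policy per remote peer and traffic-selector.

```python
import re
from collections import defaultdict

# Constructed sample listing (not real device output). Two traffic-selectors share
# one interface mode policy, which is the condition this bug describes; the other
# policies are each used by a single traffic-selector.
SAMPLE_CONFIG = """\
net ipsec ipsec-policy /Common/shared_if_policy {
    mode interface
}
net ipsec ipsec-policy /Common/peerB_policy {
    mode interface
}
net ipsec ipsec-policy /Common/tunnel_policy {
    mode tunnel
    tunnel-local-address 203.0.113.1
    tunnel-remote-address 198.51.100.1
}
net ipsec traffic-selector /Common/ts_peerA {
    source-address 10.1.0.0/16
    destination-address 10.2.0.0/16
    ipsec-policy /Common/shared_if_policy
}
net ipsec traffic-selector /Common/ts_peerC {
    source-address 10.1.0.0/16
    destination-address 10.3.0.0/16
    ipsec-policy /Common/shared_if_policy
}
net ipsec traffic-selector /Common/ts_peerB {
    source-address 10.1.0.0/16
    destination-address 10.4.0.0/16
    ipsec-policy /Common/peerB_policy
}
net ipsec traffic-selector /Common/ts_tunnel1 {
    source-address 10.1.0.0/16
    destination-address 10.5.0.0/16
    ipsec-policy /Common/tunnel_policy
}
"""

# Matches one "net ipsec <type> <name> { ... }" block; assumes the listing style above.
BLOCK_RE = re.compile(
    r"^net ipsec (?P<type>ipsec-policy|traffic-selector) (?P<name>\S+) \{\n"
    r"(?P<body>.*?)^\}",
    re.MULTILINE | re.DOTALL,
)


def parse_ipsec_objects(text):
    """Return ({policy_name: attrs}, {selector_name: attrs}) from a listing."""
    policies, selectors = {}, {}
    for m in BLOCK_RE.finditer(text):
        attrs = {}
        for line in m.group("body").splitlines():
            line = line.strip()
            if line:
                key, _, value = line.partition(" ")
                attrs[key] = value
        target = policies if m.group("type") == "ipsec-policy" else selectors
        target[m.group("name")] = attrs
    return policies, selectors


def find_shared_interface_policies(text):
    """Map each interface mode policy used by 2+ traffic-selectors to those selectors."""
    policies, selectors = parse_ipsec_objects(text)
    users = defaultdict(list)
    for ts_name, attrs in selectors.items():
        if "ipsec-policy" in attrs:
            users[attrs["ipsec-policy"]].append(ts_name)
    return {
        pol: sorted(ts_names)
        for pol, ts_names in users.items()
        if policies.get(pol, {}).get("mode") == "interface" and len(ts_names) > 1
    }


def suggest_remediation(findings):
    """Propose one new interface mode policy per extra traffic-selector (assumed tmsh syntax)."""
    commands = []
    for pol, ts_names in findings.items():
        # The first traffic-selector keeps the existing policy; every other one
        # gets its own policy, so tunnel addresses are no longer overwritten.
        for ts_name in ts_names[1:]:
            new_pol = f"{pol}_{ts_name.rsplit('/', 1)[-1]}"
            commands.append(f"tmsh create net ipsec ipsec-policy {new_pol} mode interface")
            commands.append(f"tmsh modify net ipsec traffic-selector {ts_name} ipsec-policy {new_pol}")
    return commands


if __name__ == "__main__":
    hits = find_shared_interface_policies(SAMPLE_CONFIG)
    for pol, ts_names in hits.items():
        print(f"shared interface mode policy {pol} used by: {', '.join(ts_names)}")
    for cmd in suggest_remediation(hits):
        print(cmd)
```

Run it against a saved listing instead of the constructed sample by reading the file into `find_shared_interface_policies`; policies in tunnel or transport mode are deliberately skipped, since the bug only concerns interface mode.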

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips